Cryptolocker: The evolution of extortion

Cryptolocker, the latest ransomware, may be newsworthy, but it's been hyped, too, says expert

The Cryptolocker Trojan is an evolution of "ransomware," not a revolutionary change from past criminal attempts to extort money from PC owners, a security expert said today.

And the recent media blitz about the ransomware has elements of exaggeration about it.

"There is a bit of hype," said John Shier, a senior security advisor for U.K.-based Sophos, in an interview today. "Actually, it's only the latest incarnation of ransomware."

Ransomware is a category of malware that, once on a system, encrypts files and then tries to convince users to pay to decrypt them so they can again be opened. The crimeware has been in active circulation since at least 2005, with traces harking back as far as 1989.

But reports of Cryptolocker, which first appeared earlier this year, have been more prominent and persistent than any of its predecessors.

Why is that?

"It's taken lessons [from those ancestors] of how to do things better," said Shier, who repeatedly argued that Cryptolocker was not revolutionary, but evolutionary in its tactics and techniques. "It's not the first to use a public key," Shier cited as an example. Public-key cryptography relies on a pair of digital keys: a public key, which is stored on the victimized PC, and a private key, which is not. Cryptolocker instead ships that private key to the cyber-criminals, who hold it until payment is received.

Cryptolocker is newsworthy for several reasons, said Shier, who ticked off the near-impossibility of cracking the encryption; the fact that each compromised PC generates its own public-key pair, so acquiring one private key doesn't help others whose machines have been infected; the encryption of not only local files, but also those on accessible networks; targeting valuable user-made content, not the operating system; and its high ransom price, which can reach into four figures.

The Swansea, Mass. Police Department, for instance, paid $650 for a pair of Bitcoins to get its files back after a PC was infected with Cryptolocker, according to a report by the Herald News of Fall River, Mass. Both Swansea and Fall River are in southeast Massachusetts.

At Tuesday's exchange rate, the Swansea Police Department's two Bitcoins would cost more than $1,300.

Sophos, however, has seen very few Cryptolocker-infected PCs among those it protects. According to Shier, of the 16 million covered by Sophos' security software, it's counted fewer than 300 infections.

Shier offered a caveat, however. "It's not that big of a deal in businesses [which is Sophos' forte] because they have other defenses in place," he said, including robust spam filters, attachment blocking and multiple layers of security. "For consumers, it would be a little worse, I think, since many don't have those kinds of tools."

Shier sympathized with those whose files have been encrypted by Cryptolocker, and although he stuck to the universal advice of all security experts not to pay the ransom -- paying increases the criminals' return on investment and so encourages them to continue -- he said he understood why some may feel it's the only, or at least the least onerous, solution.

Sans backups, users facing Cryptolocker are essentially out of luck, he acknowledged. While the malware itself can be relatively easily scrubbed from the system, the already-encrypted files will remain encrypted.

One piece of advice, however, might help those who see the demand in the future. "Unplug the computer immediately," Shier said, pointing out that on a desktop PC, quick action may limit the damage because it takes time for the malware to encrypt every file it's targeted.

Sadly, Cryptolocker and its ilk won't go away until there's no profit to be made. "I don't see any evidence that [ransomware] won't continue," Shier said. "It's all about the monetization. As long as there's enough profit margin, they'll keep doing it."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.
